1852820 – (CVE-2020-10994) CVE-2020-10994 python-pillow: multiple out-of-bounds reads via a crafted JP2 file

Bug 1852820 (CVE-2020-10994) - CVE-2020-10994 python-pillow: multiple out-of-bounds reads via a crafted JP2 file

Summary: CVE-2020-10994 python-pillow: multiple out-of-bounds reads via a crafted JP2 ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-10994
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1852821 1852822 1854823
Blocks:	1852831
TreeView+	depends on / blocked

Reported:	2020-07-01 11:36 UTC by Marian Rehak
Modified:	2021-02-16 19:44 UTC (History)
CC List:	8 users (show)
Fixed In Version:	python-pillow 7.1.0
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds read flaw was found in python-pillow in the way JP2 images are parsed. An application that uses python-pillow to decode untrusted images may be vulnerable to this issue. This flaw allows an attacker to read data. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:	2021-02-04 20:42:02 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0420	0	None	None	None	2021-02-04 16:14:43 UTC

Description Marian Rehak 2020-07-01 11:36:45 UTC

In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Pull Request:

https://github.com/python-pillow/Pillow/pull/4538

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html

Comment 1 Marian Rehak 2020-07-01 11:37:14 UTC

Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852821]
Affects: fedora-32 [bug 1852822]

Comment 3 Jason Shepherd 2020-07-02 01:32:03 UTC

Upstream commit: 

https://github.com/python-pillow/Pillow/commit/ff60894d697d1992147b791101ad53a8bf1352e4

Comment 4 Riccardo Schirone 2020-07-08 10:21:45 UTC

Statement:

This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the JP2 image parser, where the flaw lies.

Comment 7 errata-xmlrpc 2021-02-04 16:14:41 UTC

This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

Comment 8 Product Security DevOps Team 2021-02-04 20:42:02 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10994

Note You need to log in before you can comment on or make changes to this bug.